Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2024 11:23
Behavioral task
behavioral1
Sample
Riga Client.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Riga Client.exe
Resource
win10v2004-20240709-en
General
-
Target
Riga Client.exe
-
Size
2.0MB
-
MD5
40ac7d11ebb91612d8d5c16c05af0a13
-
SHA1
543a6c16f8f058fb6ba029ee3a9c5fde92aaa212
-
SHA256
4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
-
SHA512
223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c
-
SSDEEP
49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes:
ComInto.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" ComInto.exe -
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3268 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 416 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3828 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3908 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1320 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4136 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 856 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3372 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 728 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2496 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1268 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3432 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3340 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3788 3472 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 544 3472 schtasks.exe -
Processes:
resource yara_rule C:\componentCommon\ComInto.exe dcrat behavioral2/memory/3216-13-0x0000000000A00000-0x0000000000BAC000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Riga Client.exeWScript.exeComInto.exewinlogon.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation Riga Client.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation ComInto.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation winlogon.exe -
Executes dropped EXE 2 IoCs
Processes:
ComInto.exewinlogon.exepid process 3216 ComInto.exe 4944 winlogon.exe -
Adds Run key to start application 2 TTPs 16 IoCs
Processes:
ComInto.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" ComInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" ComInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" ComInto.exe -
Drops file in Program Files directory 7 IoCs
Processes:
ComInto.exedescription ioc process File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 ComInto.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe ComInto.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\ea1d8f6d871115 ComInto.exe File created C:\Program Files\Windows Mail\RuntimeBroker.exe ComInto.exe File opened for modification C:\Program Files\Windows Mail\RuntimeBroker.exe ComInto.exe File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9 ComInto.exe File created C:\Program Files\Windows Portable Devices\smss.exe ComInto.exe -
Drops file in Windows directory 3 IoCs
Processes:
ComInto.exedescription ioc process File created C:\Windows\appcompat\Programs\sysmon.exe ComInto.exe File created C:\Windows\appcompat\Programs\121e5b5079f7c0 ComInto.exe File created C:\Windows\System\Speech\cmd.exe ComInto.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
Riga Client.exewinlogon.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings Riga Client.exe Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings winlogon.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2496 schtasks.exe 3432 schtasks.exe 3340 schtasks.exe 416 schtasks.exe 4968 schtasks.exe 4136 schtasks.exe 856 schtasks.exe 3372 schtasks.exe 2712 schtasks.exe 1308 schtasks.exe 1268 schtasks.exe 4924 schtasks.exe 3828 schtasks.exe 1716 schtasks.exe 1320 schtasks.exe 3940 schtasks.exe 3364 schtasks.exe 544 schtasks.exe 3268 schtasks.exe 4608 schtasks.exe 728 schtasks.exe 3788 schtasks.exe 4224 schtasks.exe 3908 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
ComInto.exewinlogon.exepid process 3216 ComInto.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe 4944 winlogon.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
winlogon.exepid process 4944 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ComInto.exewinlogon.exedescription pid process Token: SeDebugPrivilege 3216 ComInto.exe Token: SeDebugPrivilege 4944 winlogon.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Riga Client.exeWScript.execmd.exeComInto.exewinlogon.exedescription pid process target process PID 740 wrote to memory of 3824 740 Riga Client.exe WScript.exe PID 740 wrote to memory of 3824 740 Riga Client.exe WScript.exe PID 740 wrote to memory of 3824 740 Riga Client.exe WScript.exe PID 3824 wrote to memory of 4252 3824 WScript.exe cmd.exe PID 3824 wrote to memory of 4252 3824 WScript.exe cmd.exe PID 3824 wrote to memory of 4252 3824 WScript.exe cmd.exe PID 4252 wrote to memory of 3216 4252 cmd.exe ComInto.exe PID 4252 wrote to memory of 3216 4252 cmd.exe ComInto.exe PID 3216 wrote to memory of 4944 3216 ComInto.exe winlogon.exe PID 3216 wrote to memory of 4944 3216 ComInto.exe winlogon.exe PID 4944 wrote to memory of 628 4944 winlogon.exe WScript.exe PID 4944 wrote to memory of 628 4944 winlogon.exe WScript.exe PID 4944 wrote to memory of 2584 4944 winlogon.exe WScript.exe PID 4944 wrote to memory of 2584 4944 winlogon.exe WScript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\componentCommon\ComInto.exe"C:\componentCommon\ComInto.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Recovery\WindowsRE\winlogon.exe"C:\Recovery\WindowsRE\winlogon.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d9d007-0d58-490a-8708-01b0c73edafe.vbs"6⤵PID:628
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfc0842-4a16-4437-b38c-75357d354c6d.vbs"6⤵PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
710B
MD5bdbe869b12f8789377eb3cd4ca0a246a
SHA126fccb025912c7a9f62ad4bf0b7f2eb43aacd4fd
SHA2568a340b77105395593fa51ae5e7d9439cc916919159aed9c0b9a2c2c626e3e8c5
SHA512baac5832f0400bc019de3d2b66f6ff18674e7755550d187aaef464c0b6700fb50a1166e791b97b543f67fce75e77fafcf370b51b849f95bd3f0eeb89cc90d3d7
-
Filesize
486B
MD57e7cf160c65c8fe5c58ba0750fe14dde
SHA136d1a519bfada22cd1480d2bbc095b72c2730b91
SHA25691ea1c344d2d32c37596fe29c14ebf6dc80c975942a3666376f4fa29ea6d1bcc
SHA51268c0ba824e53ef879d1f95159130188ff1262fff12682c9d64ff9651334de12ab7beb1c73fa662e6eae604460fde6f93c48c7389727ce9f48f20a74db1253646
-
Filesize
1.6MB
MD59a0cee5a5ce317b7a70f88bb6aaa49e1
SHA195a779063656075a8ddc2f2164393fa59e3c93d9
SHA256701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
SHA512d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4
-
Filesize
206B
MD5e986ea5d4cac976a6de65d3f1ef8b332
SHA16465da0abcfac05b8ed1f32b9cca57e2e2f54aea
SHA2563ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
SHA512896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11
-
Filesize
32B
MD5a0b9b0891c2cae67cd1beae705d09d4f
SHA1997953188d6226de19faa0ab4e8fdbddf1fb5617
SHA25613593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
SHA512bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb